SYSTEMS AND METHODS FOR PARALLEL PROCESSING OF OCSP REQUESTS DURING SSL HANDSHAKE

US 20110154026A1
Filed: 12/23/2009
Published: 06/23/2011
Est. Priority Date: 12/23/2009
Status: Abandoned Application

First Claim

Patent Images

1. A method of processing an Online Certificate Status Protocol (OCSP) request in parallel to processing a Secure Socket Layer (SSL) handshake, the method comprising:

(a) transmitting, by an Online Certificate Status Protocol (OCSP) responder of an intermediary device between a plurality of clients and one or more servers, an OCSP request to a OCSP server for a status of a client certificate responsive to receiving the client certificate from a client during a Secure Socket Layer (SSL) handshake;

(b) continuing, by the intermediary device, to perform remaining portions of the SSL handshake while the OCSP request to the OCSP server is outstanding;

(c) establishing, by the intermediary device, an SSL connection for the SSL handshake; and

(d) determining, by the intermediary, whether to terminate or maintain the established SSL connection based on the status of the client certificate received via a response from the OCSP server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed towards systems and methods for processing an Online Certificate Status Protocol (OCSP) request in parallel to processing a Secure Socket Layer (SSL) handshake. The method includes transmitting, by an OCSP responder of an intermediary device between a plurality of clients and one or more servers, an OCSP request to a OCSP server for a status of a client certificate responsive to receiving the client certificate from a client during a SSL handshake. The intermediary device may continue to perform remaining portions of the SSL handshake while the OCSP request to the OCSP server is outstanding. The intermediary device may establish an SSL connection for the SSL handshake. The intermediary device may determine whether to terminate or maintain the established SSL connection based on the status of the client certificate received via a response from the OCSP server.

Citations

20 Claims

1. A method of processing an Online Certificate Status Protocol (OCSP) request in parallel to processing a Secure Socket Layer (SSL) handshake, the method comprising:
- (a) transmitting, by an Online Certificate Status Protocol (OCSP) responder of an intermediary device between a plurality of clients and one or more servers, an OCSP request to a OCSP server for a status of a client certificate responsive to receiving the client certificate from a client during a Secure Socket Layer (SSL) handshake;
  
  (b) continuing, by the intermediary device, to perform remaining portions of the SSL handshake while the OCSP request to the OCSP server is outstanding;
  
  (c) establishing, by the intermediary device, an SSL connection for the SSL handshake; and
  
  (d) determining, by the intermediary, whether to terminate or maintain the established SSL connection based on the status of the client certificate received via a response from the OCSP server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein step (a) further comprises identifying, by the intermediary device, the OCSP responder from a plurality of OCSP responders based on a certificate authority of the client certificate.
  - 3. The method of claim 1, wherein step (a) further comprises transmitting, by the intermediary device, the OCSP request as part of a batch OCSP request to the OCSP server for statuses of a plurality of client certificates.
  - 4. The method of claim 1, wherein step (b) further comprises transmitting, by the intermediary device, to the client a secret key encrypted with a public key while the OCSP request to the OCSP server is outstanding.
  - 5. The method of claim 1, wherein step (b) further comprises generating, by the intermediary device, a random number for a pre-master secret key while the OCSP request to the OCSP server is outstanding.
  - 6. The method of claim 1, wherein step (b) further comprises calculating, by the intermediary device, a master secret key while the OCSP request to the OCSP server is outstanding.
  - 7. The method of claim 1, wherein step (c) further comprises establishing, by the intermediary device, the SSL connection while the OCSP request to the OCSP server is outstanding.
  - 8. The method of claim 1, wherein step (c) further comprises establishing, by the intermediary device, the SSL connection responsive to receipt of the status of the client certificate from the OCSP server.
  - 9. The method of claim 1, wherein step (d) further comprises determining in response to a request from the client via the established SSL connection whether to terminate or maintain the SSL connection based on the status of the client certificate received via the response.
  - 10. The method of claim 1, wherein step (d) further comprises determining to terminate the established SSL connection based on the status of the client certificate corresponding to one of revoked or unknown.

11. A system of an intermediary device for processing an Online Certificate Status Protocol (OCSP) request in parallel to processing a Secure Socket Layer (SSL) handshake, the intermediary device between a plurality of clients and one or more servers, the system comprising:
- an Online Certificate Status Protocol (OCSP) responder of an intermediary device transmitting an OCSP request to a OCSP server for a status of a client certificate responsive to the intermediary device receiving the client certificate from a client during a Secure Socket Layer (SSL) handshake;
  
  an SSL engine of the intermediary device continuing to perform remaining portions of the SSL handshake while the OCSP request to the OCSP server is outstanding and establishes and SSL connection for the SSL handshake; and
  
  wherein the intermediary device determines whether to terminate or maintain the SSL connection based on the status of the client certificate received via a response from the OCSP server.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the SSL engine identifies the OCSP responder from a plurality of OCSP responders based on a certificate authority of the client certificate.
  - 13. The system of claim 11, wherein the SSL engine transmits the OCSP request as part of a batch OCSP request to the OCSP server for statuses of a plurality of client certificates.
  - 14. The system of claim 11, wherein the SSL engine transmits to the client a secret key encrypted with a public key while the OCSP request to the OCSP server is outstanding.
  - 15. The system of claim 11, wherein the SSL engine generates a random number for a pre-master secret key while the OCSP request to the OCSP server is outstanding.
  - 16. The system of claim 11, wherein the SSL engine calculates a master secret key while the OCSP request to the OCSP server is outstanding.
  - 17. The system of claim 11, wherein the SSL engine establishes the SSL connection while the OCSP request to the OCSP server is outstanding.
  - 18. The system of claim 11, wherein the SSL engine establishes the SSL connection responsive to receipt of the status of the client certificate from the OCSP server.
  - 19. The system of claim 11, wherein the intermediary device determines in response to a request from the client via the established SSL connection whether to terminate or maintain the SSL connection based on the status of the client certificate received via the response.
  - 20. The system of claim 11, wherein the intermediary device determines to terminate the established SSL connection based on the status of the client certificate corresponding to one of revoked or unknown.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Edstrom, Christofer, Kanekar, Tushar

Application Number

US12/645,893
Publication Number

US 20110154026A1
Time in Patent Office

Days
Field of Search
US Class Current

713/158
CPC Class Codes

H04L 2209/043   of tables, e.g. lookup, sub...

H04L 2209/30   Compression, e.g. Merkle-Da...

H04L 2209/60   Digital content management,...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/80   Wireless

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 67/566   Grouping or aggregating ser...

H04L 67/568   Storing data temporarily at...

H04L 9/3268   using certificate validatio...

SYSTEMS AND METHODS FOR PARALLEL PROCESSING OF OCSP REQUESTS DURING SSL HANDSHAKE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR PARALLEL PROCESSING OF OCSP REQUESTS DURING SSL HANDSHAKE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links